Attackers use any means possible to compromise end-user accounts and use valid credentials to gain unauthorized access to business-critical systems. Phishing attacks have long been a standard means for threat actors to harvest user credentials. However, SMS phishing has become a growing problem with the same result: breached environments.
The rise of SMS phishing attacks
A recent example of SMS phishing that underscores the effectiveness of SMS phishing involved a financially driven threat group, UNC3944, targeting Microsoft Azure. The group uses a variety of attacks, including SMS phishing (Smishing) attacks against privileged users.
By executing SMS phishing and SIM-swapping techniques, they compromised credentials, impersonated these users, and deceived helpdesk agents into sending multi-factor authentication reset codes via SMS. It allowed them to gain administrator access to compromised Azure environments.
The attackers then employed Azure's Serial Console to obtain administrative command prompts within Azure VMs, where they deployed legitimate-looking remote administration tools.
It helps to emphasize just how dangerous SMS phishing can be, leading to compromise. However, what exactly is involved with Smishing, and how does this type of attack work?
How does Smishing work?
Smishing, or SMS phishing, employs tactics that mirror those used in traditional email phishing but adapts them to the text-based nature of SMS. Here's how Smishing typically unfolds:
Example of a smishing message
- Initiation: A deceptive text message is at the core of a smishing attack. The attacker aims to persuade the recipient to take specific action, like clicking an identity verification link.
- Scouting: Attackers often initiate what's known as 'scouting' attacks to enhance the likelihood of success. These preliminary messages may seem harmless or legitimate, acting as a ruse. By impersonating a known individual or organization, the attacker determines the viability of the target.
- Multifaceted Attacks: Smishing is effective in its ability to be used with other attacks. An attacker accessing a person's email and phone number can orchestrate a dual-pronged assault. For instance, a phishing email can complement a smishing message, reinforcing the deception. Additionally, an attacker could use the victim's phone number to place a call, adding another layer of authenticity to the attack.
Tech tools that can help to prevent SMS phishing attacks from being successful
Businesses are equally the targets of SMS phishing attacks, arguably more so with the sensitive data they contain. With the widespread use of mobile phones at work, businesses have increasingly turned to SMS as a formal channel for communication. Attackers capitalize on this shift in communications and exploit the public's familiarity with business-related SMS interactions.
Tech tools can be useful and effective in helping prevent SMS phishing attacks. Note the following tech tools that can help.
- Company Devices with Phishing Protection: Investing in smartphones with built-in phishing and malware protection can alert users to malicious links and attempts to steal personal information. Coupling this with mobile device management (MDM) solutions ensures these devices remain secure.
- Regular Software Updates: Keeping the OS and applications on mobile devices updated ensures that any known vulnerabilities are patched. Cybercriminals often exploit outdated software.
- Multi-Factor Authentication (MFA): A secondary layer of security, MFA requires additional pieces of information or tokens for access. Even if attackers obtain login credentials, MFA can stop unauthorized entry.
- Secure SMS Gateways: For companies that frequently use SMS for communication, secure gateways can encrypt messages, safeguarding sensitive information during transmission.
- Mobile Antivirus Solutions: Antivirus tools for mobile devices can detect and remove malicious applications, block phishing sites, and offer firewall protection against unauthorized data breaches.
Protecting service desks from these types of attacks
Smishing is often a risk at the service desk as businesses frequently use texts as an authentication method—end users are trained to accept text verification, and the routine of doing so can impact MFA fatigue. This auto-accept mentality can reduce the security of SMS verification, which is my true multi-step approaches to identity verification are more important than ever.
According to OKTA, several customers have recently experienced social engineering attacks against their IT helpdesk staff. The attacker's main tactic was to persuade these personnel to reset the Multi-factor Authentication (MFA) settings for users with high privileges. After gaining access to the top-tier Okta Super Administrator accounts, these attackers misused genuine identity federation features, allowing them to pose as members of the breached organization.
It shows no one, including IT personnel, is immune to social engineering tactics. Organizations must implement solutions to help prevent attacks against helpdesk staff and successfully validate the identity of users calling the helpdesk in multiple ways.
Specops Secure Service Desk is a tool designed to bolster IT security by enhancing user verification processes at the service desk. It reduces the risk of social engineering attacks by addressing vulnerabilities often found in service desk requests, like password resets.
Example of an admin view within Specops Secure Service Desk, verifying an end-user with MFA
Secure Service Desk ensures secure user authentication at the service desk using data from Active Directory and various authentication services, minimizing opportunities for user impersonation by an attacker. IT admins can configure different authentication services that must all be verified before the user's identity is validated. Additionally, it facilitates secure account unlocks and password resets using these same verification methods.
- Enforced user verification before password resets or account unlocks are successful
- Integration with advanced user verification methods like Okta, Symantec VIP, and Duo Security
- Multilingual support for both service desk agents and end-users
- Comprehensive system usage audit and reporting capabilities
- A customizable user interface for enhanced user experience
- Out-of-the-box (OOTB) functionalities for account unlock, password resets, and encryption key issuance
Specops Secure Service Desk can help your organization increase security against social engineering attacks, including SMS phishing, get in touch for a demo or free trial here.